Home page logo

oss-sec logo oss-sec mailing list archives

Re: [oCERT-2011-003] multiple implementations denial-of-service via hash algorithm collision
From: Solar Designer <solar () openwall com>
Date: Sun, 1 Jan 2012 10:24:23 +0400

On Thu, Dec 29, 2011 at 11:58:21PM +0100, Andrea Barisani wrote:
As stated in our timeline the embargo date was requested by reporters:
"2011-09-25: vulnerability report received, reporters set embargo date to December 27th"

Our disclosure policy also says:
"- in any circumstance reporter preference will always be honoured in case a
joint agreement is not reached, as oCERT would be anyway unable to force its

We tried to negotiate an earlier embargo time as, obviously, many complained
about the unfortunate timing considering xmas holidays but the reporters really
wanted to release this after the CCC talk.

It is oCERT policy to not leak reports before the desired date set by the
reporters if a more favourable one is not agreed upon.

Hope this clarifies the exception.

It does (at least for me).  I just felt that this needed to be said.

Thank you!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]